Resetting expectations and re-calibrating for back to work

What a difference a few months can make!

I’m writing this column during my last official night working from home. I return to my office tomorrow, taking the first steps toward our new collective normal. These past 16 months have been both frustrating and enlightening. (The viewpoint changes depending on the lens you apply.)

The frustration came from our initial response to the spread of COVID-19. The risks people were taking, the false science some were proclaiming — it shocked me as a security professional. In our profession, we try our best to weigh the risks against the goals our businesses are trying to achieve, but we use data, not emotion. It was really hard to see the emotional response some of us humans embraced during the early phases of the pandemic. And with every new wave, outbreak or surge, we realized how important it is to seek out experts and listen to their advice.

I’m hoping those lessons aren’t soon lost on our profession as we begin the journey back to our new normal. These first few steps will challenge us to ask difficult questions, to continually seek out the science and data, and present our risk assessments objectively to our executives. Our collective calm voice will undoubtedly be sought for our expertise on the risks we have yet to face.

The enlightening aspect of what I’ve experienced was witnessing the resilience of the security profession. I’ve seen security teams pivot from in-person training sessions to online seminars overnight. From use of force sessions, to collaborative risk assessment workshops, to Global Security Exchange (GSX) — our ability to adapt and adjust was impressive!
We became the team to turn to for help, regardless of the organization or the role.

I’ve chatted with many security folks these past months who took on new assignments or projects with a renewed sense of pride and strength. We found more ways to contribute to our organizations. Everything from driving computer equipment to employees’ homes so they could keep working, to checking temperatures of people entering buildings. We pitched in, leaned in to the many problems, and found creative solutions to some very difficult issues. And we did it with professionalism and teamwork.

I’m worried, though, about the next phase of our recovery. As many organizations ask their employees to start returning to work, I think we need to increase our education and awareness efforts. Employees will start heading back to their offices while still working with other teams or organizations that are still working from home. We’re going to be a blend of back at work, and work from home, for the rest of this year and probably into 2022.

This space in time is when we will be more vulnerable to threats like phishing campaigns or ransomware attacks. We’re seeing the impact these cyber-attacks have on organizations, and a significant change to our workforce (like bringing workers back to the workplace) is an opportunity the cyber-criminals won’t miss exploiting.

We can help with the transition to our new normal while reducing risks to our employees and organizations. We just need to view this time through an ESRM lens, with a human focus. Spend time with your communications team to develop short, targeted training messages on threats like phishing or ransomware. Review your security coverage for physical facilities and look at your controls from a new vantage point. We’ve been at home for so long, we need to look at security risks now from a different perspective.

We can do this well if we truly focus on the human elements of ESRM!

Tim McCreight is managing director, enterprise security, CP Rail (www.cpr.ca).